PsExec is a Sysinternals command-line tool for running programs on remote Windows systems. It can execute commands, scripts and applications on a remote host, return their console output to the caller, and launch GUI-based applications on the remote host's interactive desktop.
PsExec works by copying a small service executable, PSEXESVC.exe, to the remote system's ADMIN$ share, registering and starting it through the Windows Service Control Manager (SCM), and then relaying the command together with its standard input and output over SMB named pipes. The remote program runs in the security context of the account that authenticated (or, with the -s switch, as the local SYSTEM account), so PsExec grants nothing beyond what that account already holds on the target.
To establish the connection, the user needs local administrator rights on the target (writing to ADMIN$ and creating a service both require them) and supplies the target's name plus, optionally, the username and password to authenticate with:
psexec \\MACHINE-NAME -u USERNAME -p PASSWORD -s COMMAND
COMMAND is the process executed on the target once the connection is established; -s makes it run as SYSTEM rather than as USERNAME. If -u and -p are omitted, PsExec authenticates with the caller's current logon session.
PsExec is a powerful command-line tool used primarily for remote administration and execution of processes on Windows systems. It allows system administrators and security professionals to execute commands or run programs on remote computers in a networked environment. Here are some common use cases for PsExec:
Remote System Administration: PsExec enables administrators to remotely manage and administer multiple Windows systems without the need for physical access. It allows them to execute commands, run scripts, install software, modify system configurations, and perform various administrative tasks on remote machines from a central location.
Software Deployment and Updates: With PsExec, administrators can remotely deploy software packages, patches, or updates across multiple computers simultaneously. This feature is particularly useful in large-scale environments where manual installation on individual systems would be time-consuming and impractical.
Troubleshooting and Diagnostics: PsExec can be used to remotely diagnose and troubleshoot system issues. Administrators can execute diagnostic tools, access event logs, retrieve system information, or run troubleshooting scripts on remote systems to identify and resolve problems without being physically present.
Security Auditing and Patch Management: Security professionals often employ PsExec to conduct security audits, vulnerability assessments, or penetration testing exercises. It allows them to remotely execute security scanning tools, verify patch levels, and assess the security posture of remote systems within the network.
Incident Response and Forensics: During incident response, PsExec gives analysts remote access to compromised systems for triage and evidence collection, letting them run commands or forensic tools without an interactive logon. Bear in mind that this is not forensically silent: PsExec writes PSEXESVC.exe to the target, installs and later removes a service, and leaves the same event-log artifacts an attacker's use would, so document its use and prefer an agent-based collector where the integrity of the evidence matters.
Red Teaming and Lateral Movement: In red team exercises, where organisations simulate real-world attacks to test their defences, PsExec is a standard lateral-movement technique. With valid administrative credentials in hand, the operator uses PsExec to execute commands or payloads on further hosts, moving laterally and escalating privileges toward sensitive resources.
Automation and Scripting: PsExec can be integrated into scripts or batch files, enabling automation of repetitive tasks across multiple systems. It provides a means to execute scripts remotely, allowing administrators to orchestrate complex operations or perform regular maintenance tasks efficiently.
However, it’s important to note that PsExec can be a powerful tool in the hands of attackers as well, since it allows them to execute arbitrary code on remote systems, potentially leading to privilege escalation and lateral movement in the network. Therefore, it is important to use PsExec securely and to limit the use of PsExec to trusted users and systems.
PsExec is not PowerShell, nor a PowerShell cmdlet. It is a stand-alone command-line executable that runs programs on remote systems.
PowerShell, on the other hand, is a task automation and configuration management framework developed by Microsoft, which includes a command-line shell and associated scripting language built on the .NET framework. PowerShell can be used to automate various tasks and perform complex operations on local or remote systems.
While both can run commands on remote systems, they are different tools with different mechanics. PsExec executes a single command or application on a remote system over SMB (TCP 445) by installing a temporary service, while PowerShell is a full scripting framework whose remoting (Invoke-Command, Enter-PSSession) runs over WinRM (WS-Management, TCP 5985/5986). The difference matters for firewalling and for logging: the two leave different network traffic and different event-log artifacts.
Therefore, depending on the scenario, one tool may be more appropriate than the other.
PsExec works by leveraging its unique architecture and communication protocols to enable remote execution on Windows systems. Let’s explore the key aspects of how PsExec operates:
PsExec follows a client-server model, but the server half is not pre-installed. The client (psexec.exe on the local system) copies PSEXESVC.exe to the target, starts it as a service, and connects to the named pipes the service creates. Commands, standard input and standard output travel over that connection, and the service is stopped and deleted when the command exits.
PsExec uses the Server Message Block (SMB) protocol over TCP 445: the ADMIN$ share to place PSEXESVC.exe and the IPC$ share for the named pipes (PSEXESVC, plus PSEXESVC-<host>-<pid>-stdin, -stdout and -stderr) that carry the session. The target must therefore have the administrative shares enabled and port 445 reachable. Reliable is not the same as confidential: PsExec versions before 2.1 (released in 2014) sent the session, including any -u/-p credentials, in the clear; only 2.1 and later encrypt it.
PsExec authenticates through the Windows SMB session. Without -u it uses the caller's existing logon token (Kerberos in a domain, otherwise NTLM); with -u and -p it passes the supplied credentials to the remote service, which logs on with them.
To keep this secure, follow the usual authentication practices: strong, unique passwords for the administrative accounts PsExec runs under, multi-factor authentication on those accounts where possible, and least privilege, granting PsExec rights only to the users who need them. One caveat specific to PsExec: when you pass -u and -p, the remote service performs a local logon with those credentials, so they sit in the target's LSASS memory for the duration of the session and can be harvested if that target is already compromised. Omitting -u and -p uses your existing network logon and leaves no reusable credentials on the target.
PsExec itself does not provide file or registry access; it executes programs, and it is those programs (copy, reg, scripts) that touch files and the registry on the remote system. The only files PsExec copies on its own are PSEXESVC.exe and, with -c, the program you name; both are placed in the remote system's Windows directory via the ADMIN$ share (not a temporary folder) and removed when the remote program exits.
Because anything run this way executes with administrative or SYSTEM rights on the target, treat PsExec tasks that move files or edit the registry with the same care as logging on to the target as an administrator: transfer sensitive files only over a channel you trust (PsExec 2.1 or later), and leave the access controls on critical system files and registry keys intact rather than reaching for -s by habit.
Installing and setting up PsExec is a straightforward process that involves the following steps:
Download PsExec from Microsoft's Sysinternals site (it ships in the PsTools suite and is also served from the Sysinternals Live share, \\live.sysinternals.com\tools). Take it from Microsoft and nowhere else: the binary is Authenticode-signed by Microsoft, so verify the signature after download before trusting a copy obtained by any other route.
PsExec does not require a formal installation process. Once you have downloaded the PsExec executable file, you can save it to a directory of your choice on your local system. It is recommended to place it in a location that is easily accessible and included in the system’s PATH environment variable for convenient usage.
To connect to a remote computer using PsExec, follow these steps:
a. Open a command prompt or terminal on your local system.
b. Navigate to the directory where you saved the PsExec executable file.
c. To establish a connection with a remote computer, use the following command:
psexec \\remote_computer_name_or_IP -u username -p password command
d. Press Enter to execute the command. PsExec will establish a connection with the remote computer, authenticate using the provided credentials, and execute the specified command remotely.
e. You will see the output of the executed command in your local command prompt or terminal window.
Successful execution depends on TCP 445 being reachable between your system and the remote computer, on the ADMIN$ and IPC$ shares being enabled there, and on credentials that hold local administrator rights on the target. On first use PsExec displays a licence prompt; the -accepteula switch suppresses it, which matters as soon as you script the tool.
PsExec's power comes from combining a handful of switches. The following forms cover most remote administration, and most lateral movement:
psexec \\remote_computer command: runs command on the remote computer in the context of your current logon, waits for it to exit and returns its console output.
psexec \\remote_computer -s command: the same, but the remote process runs as the local SYSTEM account.
psexec \\remote_computer -u username -p password command: authenticates to the remote computer with the supplied credentials instead of the current logon.
psexec \\remote_computer -c -f -s -d command: copies the local program to the remote computer (overwriting any existing copy), starts it as SYSTEM and returns immediately without waiting for it to finish.
psexec \\remote_computer -i session_id -d -s command: starts the program as SYSTEM on the desktop of the given logon session, so it is visible to that user, and does not wait for it.
psexec \\remote_computer -accepteula -s -c -f script.bat: suppresses the licence prompt, copies script.bat to the remote computer and runs it as SYSTEM.
These are only a subset of the combinations PsExec supports; each switch is described in the options table.
The general syntax for PsExec is:
psexec \\computer[,computer[,...]] [options] command [arguments]
psexec @run_file [options] command [arguments]
PsExec command-line options:

| Parameter    | Meaning |
|--------------|---------|
| \\computer   | The remote computer to connect to; separate several with commas. Use \\* for all computers in the current domain. |
| @run_file    | Run the command against each computer listed in the specified text file. |
| command      | Program to execute on the remote system. |
| arguments    | Arguments to pass to the remote program. Use absolute paths, since they are interpreted on the remote system. |
| -a           | Set CPU affinity: a comma-separated list of CPU numbers, starting at 1. |
| -c           | Copy the local program to the remote system before executing it (otherwise it must already be on the remote system's path). |
| -f           | With -c, copy even if the file already exists on the remote system. |
| -v           | With -c, copy only if the local program is a newer version than the remote copy. |
| -d           | Don't wait for the remote program to finish (no output is returned). |
| -e           | Don't load the specified account's user profile. |
| -i [session] | Run the program so that it interacts with the desktop of the given session on the remote system; without a session id, the console session. |
| -l           | Run with limited user rights: the Administrators group is stripped and only Users-group privileges remain. |
| -n seconds   | Connection timeout in seconds. |
| -p password  | Password for the user given with -u (visible on the command line and in process telemetry). |
| -r name      | Name of the remote service to create or interact with, instead of the default PSEXESVC. |
| -s           | Run the remote process under the SYSTEM account. |
| -u user      | Username for the logon. |
| -w dir       | Working directory of the process on the remote system. |
| -x           | Display the UI on the Winlogon secure desktop (local system only). |
| -low         | Run the process at low priority. |
| -accepteula  | Suppress the licence (EULA) dialog on first run. |
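As an added example (not Sysinternals code), the following Python parser applies the syntax above to command lines as they appear in process-creation telemetry (Sysmon event 1, EDR data), which is where a defender most often meets PsExec. It splits a line into targets, options and command, handles the one irregular option (-i, whose session id is optional), and lists the traits worth surfacing, such as -r renaming the service. The sample command line, host names and account are constructed; matching options case-insensitively is this parser's choice, not a documented PsExec guarantee.

```python
r"""Parse PsExec command lines (for example, from process-creation telemetry).

Added example, not Sysinternals code. It follows the documented syntax:
  psexec \\computer[,computer...] [options] command [arguments]
  psexec @run_file [options] command [arguments]
Option matching is made case-insensitive here; that is this parser's choice.
"""
import re

# Options that consume the next token as their value.
VALUE_OPTIONS = {"-u", "-p", "-n", "-w", "-r", "-a"}
# Options that stand alone.
FLAG_OPTIONS = {"-c", "-f", "-v", "-d", "-e", "-l", "-s", "-x", "-low", "-accepteula"}
PSEXEC_NAMES = {"psexec", "psexec.exe", "psexec64", "psexec64.exe"}


def tokenize(cmdline):
    """Split on whitespace but keep double-quoted spans (e.g. a password with
    spaces) together; backslashes are literal, so UNC targets survive intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_psexec(cmdline):
    tokens = tokenize(cmdline)
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() not in PSEXEC_NAMES:
        raise ValueError("not a psexec command line")
    parsed = {"targets": [], "run_file": None, "options": {}, "command": None, "arguments": []}
    i = 1
    # Optional target list: \\host[,host...], \\* or @file. No target means local execution.
    if i < len(tokens) and tokens[i].startswith("\\\\"):
        parsed["targets"] = tokens[i][2:].split(",")
        i += 1
    elif i < len(tokens) and tokens[i].startswith("@"):
        parsed["run_file"] = tokens[i][1:]
        i += 1
    while i < len(tokens) and tokens[i].startswith("-"):
        opt = tokens[i].lower()
        if opt in VALUE_OPTIONS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{opt} requires a value")
            parsed["options"][opt] = tokens[i + 1]
            i += 2
        elif opt == "-i":
            # -i takes an optional session id: consume the next token only if it is numeric.
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                parsed["options"][opt] = int(tokens[i + 1])
                i += 2
            else:
                parsed["options"][opt] = None
                i += 1
        elif opt in FLAG_OPTIONS:
            parsed["options"][opt] = True
            i += 1
        else:
            raise ValueError(f"unknown PsExec option {opt}")
    if i >= len(tokens):
        raise ValueError("no command to execute")
    parsed["command"], parsed["arguments"] = tokens[i], tokens[i + 1:]
    return parsed


def risk_indicators(parsed):
    """Traits of a parsed command line a defender would want surfaced. Every
    one is legitimate in an administrator's hands, which is why context matters."""
    o, hits = parsed["options"], []
    if "-p" in o:
        hits.append("password passed on the command line")
    if "-s" in o:
        hits.append("remote process runs as SYSTEM")
    if "-c" in o:
        hits.append("binary copied to the target's ADMIN$ share")
    if "-r" in o:
        hits.append(f"service renamed to '{o['-r']}' (PSEXESVC name-based detections miss it)")
    if "-d" in o:
        hits.append("fire-and-forget: caller does not wait for completion")
    if parsed["run_file"] or len(parsed["targets"]) > 1 or "*" in parsed["targets"]:
        hits.append("fan-out to multiple hosts")
    return hits


if __name__ == "__main__":
    # Constructed command line in the shape of a ransomware deployment (hosts and account made up).
    sample = r'psexec \\ws01,ws02 -u CORP\svc_backup -p "S3cret pw" -r winmon -c -f -s -d C:\tmp\enc.exe /quiet'
    p = parse_psexec(sample)
    print(p["targets"], p["command"], p["arguments"])
    for hit in risk_indicators(p):
        print(" -", hit)
```

Feeding every psexec.exe command line from your process-creation logs through parse_psexec and counting risk_indicators per source host gives a quick picture of who fans PsExec out across the estate, and from where.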
PsExec is not malware, but it is routinely used by malware and by attackers.
It is a legitimate, Microsoft-signed tool with legitimate uses: troubleshooting, deploying software updates and patches, and running commands and scripts on many systems at once.
The same capability, in the hands of an attacker holding administrative credentials, executes a payload on a remote system or moves laterally through the network toward sensitive data. Antivirus products do not flag the binary itself; what separates legitimate from malicious use is who ran it, from where, against what, and with which payload.
Limit PsExec to trusted administrators and management systems, and monitor its use rather than assuming the signature makes it safe.
The seamless remote access PsExec enables from a source machine to a target machine is intensively abused by threat actors in the course of the lateral movement stage in cyberattacks. This would typically occur after the initial compromise of a patient-zero machine.
From that point onward, attackers seek to expand their presence within the environment and reach either domain dominance or specific data they are after. PsExec provides them with a seamless and reliable way to achieve that for the following reasons.
Combined with compromised credentials, PsExec does not bypass authentication; it passes it, with credentials that are valid but stolen. That is exactly what makes it effective: one set of local or domain administrator credentials reaches every host where those credentials are accepted, so adversaries can move laterally, escalate privileges and compromise a significant portion of the network while every logon looks legitimate.
PsExec is often described as a "living off the land" tool of choice for lateral movement for several reasons: it is a Microsoft-signed binary that many environments already allow and many administrators already have on disk; it needs nothing but SMB (TCP 445) and the administrative shares, which are usually open between Windows hosts anyway; it requires no exploit, only credentials; and it delivers SYSTEM-level execution on the target in a single command.
While PsExec has legitimate use cases, this combination of misuse potential and ubiquity makes it attractive to adversaries. Organisations should implement network segmentation, credential management and monitoring to detect and prevent unauthorised use of PsExec and of the tools that implement the same technique without the Sysinternals binary (Impacket's psexec.py and Metasploit's psexec module being the best-known).
Using PsExec for lateral movement offers ransomware actors a practical advantage: a single command line, pointed at a comma-separated host list or an @run_file of targets and combined with -c -f -s -d, copies the encryptor to every host, starts it as SYSTEM and returns immediately, so an entire estate can be detonated in minutes from one compromised administrative session.
Endpoint protection tools struggle to block this for three reasons: the binary is legitimate and signed, so signature-based controls have nothing to match; installing a service and writing to ADMIN$ are things administrators do every day, so the individual actions are not anomalous; and the malicious part, the payload, arrives as an ordinary file copy followed by an ordinary service start. Only behavioural correlation of those steps, together with inspection of the payload itself, tells the two apart.
Traditional MFA tools are limited here because PsExec never performs an interactive logon. It authenticates over SMB with NTLM or Kerberos, a protocol-level network logon with no step at which a second factor could be prompted, so MFA products that protect console, RDP and web logons never see the authentication at all.
PsExec has gained popularity among system administrators and security professionals for its legitimate and efficient remote management capabilities. However, like many tools, PsExec can also be misused for malicious purposes. In recent years, threat actors have started incorporating PsExec into their ransomware attack strategies, making it a potentially dangerous component of their arsenal.
Within the last five years the skill barrier has dropped significantly, and lateral movement with PsExec is reported in more than 80% of ransomware attacks, making protection against malicious authentication via PsExec a necessity for every organisation.
Ransomware attacks involve malicious actors gaining unauthorized access to systems, encrypting critical data, and demanding a ransom for its release. Previously, attackers often relied on social engineering techniques or exploit kits to gain initial access. However, they have now expanded their tactics by utilizing legitimate tools like PsExec to propagate within compromised networks.
In a ransomware attack, once threat actors control a single system within a network, they aim to move laterally and infect as many systems as possible. PsExec is a convenient and efficient means to do so: attackers use it to execute the ransomware payload on every other system where the stolen credentials are accepted, spreading the infection rapidly across the network.
By incorporating PsExec into their attack chain, cybercriminals gain two advantages. First, PsExec runs the payload remotely, as SYSTEM and with no interactive session on the victim, reducing the chance that a user notices. Second, because PsExec is a legitimate tool, it passes security measures that look for known malware signatures, and its SMB traffic and service installs blend in with normal administrative activity, making the spread harder to detect.
Defending against PsExec-based ransomware attacks requires a multi-layered approach. Here are some important mitigations:
Access Control: Implement strict access controls so that only authorised users hold administrative rights on critical systems, and reduce the number of accounts with local administrator rights anywhere. PsExec needs nothing more than local administrator rights on the target, so every account that holds them on many machines is a lateral-movement path: give each machine a unique local administrator password (LAPS does this), avoid logging on to workstations with domain administrator accounts, and place privileged accounts in the Protected Users group where its Kerberos-only, no-cached-credentials behaviour is acceptable.
Endpoint Protection: Deploy endpoint protection with behaviour-based detection. The signature of psexec.exe is not the point; what to detect is the sequence: a new executable written to ADMIN$, a service created whose image is that file, and a process started as SYSTEM from it. Application control (AppLocker or WDAC) can additionally restrict psexec.exe to the management hosts and accounts that genuinely need it.
Network Segmentation: PsExec needs TCP 445 to the target. Workstations rarely have a legitimate reason to accept SMB connections from other workstations, so block inbound 445 on workstations from anything but designated management hosts (the Windows firewall is sufficient), and segment servers so that their administrative shares are reachable only from jump hosts. This contains the blast radius of a single compromised workstation.
Monitoring and Anomaly Detection: Monitor for the artifacts PsExec leaves on the target: System event 7045 (service installed) with service name PSEXESVC or an image under %SystemRoot%; Security event 5145 (detailed file share auditing, which must be enabled) showing an .exe written to ADMIN$; Security 4624 logons from unexpected sources; and, with Sysmon, event 17/18 named pipes of the form PSEXESVC-<host>-<pid>-stdin, -stdout or -stderr. Because -r renames both the service and its pipes, do not rely on the PSEXESVC string alone; correlate the share write with a service creation on the same host from the same source within a short window, and investigate such alerts promptly.
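The correlation described above, as an added example rather than any vendor's detection logic: a Python routine that walks constructed event records (field names follow the real Security 5145, System 7045 and Sysmon 17 events; hosts, IPs and timestamps are made up) and flags both the default PSEXESVC service and a renamed one, while leaving a normal service install, a plain ADMIN$ file copy and a stale share write alone.

```python
"""Correlate Windows event records to surface PsExec-style service execution.

Added example, not vendor code. Records are plain dicts carrying the field
names the real events use (Security 5145: ShareName, RelativeTargetName,
IpAddress; System 7045: ServiceName, ImagePath; Sysmon 17: PipeName). 5145
needs the 'Audit Detailed File Share' policy and Sysmon 17 needs a PipeEvent
rule; neither is on by default.
"""
import re

# PsExec session pipes look like \<service>-<HOST>-<PID>-stdin|stdout|stderr.
# Anchoring on the trailing -<pid>-std* tolerates hyphens in host and service names.
SESSION_PIPE_RE = re.compile(r"^\\[^\\]+-\d+-std(?:in|out|err)$", re.IGNORECASE)


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def detect_psexec(events, window=60):
    """Return one alert per suspicious event, in time order.

    Two signals: (1) a service whose name or image is the default PSEXESVC, and
    (2) any service, whatever its name, whose image was written to ADMIN$ by a
    remote client within `window` seconds. (2) catches -r renames; the pipe
    check is a weaker corroborating signal because -r renames the pipes too."""
    alerts = []
    admin_writes = {}  # (host, exe basename) -> (timestamp, source ip)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 5145 and ev["ShareName"].upper().endswith("ADMIN$"):
            target = ev["RelativeTargetName"]
            if target.lower().endswith(".exe"):
                admin_writes[(ev["host"], _basename(target))] = (ev["ts"], ev["IpAddress"])
        elif ev["id"] == 7045:
            image = _basename(ev["ImagePath"])
            reasons, source = [], None
            if ev["ServiceName"].upper() == "PSEXESVC" or image == "psexesvc.exe":
                reasons.append("default PsExec service name or binary")
            hit = admin_writes.get((ev["host"], image))
            if hit and ev["ts"] - hit[0] <= window:
                reasons.append(f"service image {image} written to ADMIN$ {ev['ts'] - hit[0]}s earlier")
                source = hit[1]
            if reasons:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": "high",
                               "service": ev["ServiceName"], "source_ip": source, "reasons": reasons})
        elif ev["id"] == 17:
            pipe = ev["PipeName"]
            if pipe.upper() == "\\PSEXESVC" or SESSION_PIPE_RE.match(pipe):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": "medium",
                               "service": None, "source_ip": None,
                               "reasons": [f"PsExec-style named pipe {pipe}"]})
    return alerts


# Constructed sample telemetry: default PsExec against ws02, renamed (-r winmon)
# PsExec against fs01, and three benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "ws02", "id": 5145, "IpAddress": "10.0.1.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"},
    {"ts": 2, "host": "ws02", "id": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": 3, "host": "ws02", "id": 17, "PipeName": r"\PSEXESVC-WS01-4412-stdin"},
    {"ts": 40, "host": "fs01", "id": 5145, "IpAddress": "10.0.1.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "winmon.exe"},
    {"ts": 41, "host": "fs01", "id": 7045, "ServiceName": "winmon",
     "ImagePath": r"%SystemRoot%\winmon.exe"},
    {"ts": 43, "host": "fs01", "id": 17, "PipeName": r"\winmon-WS-01-5120-stdout"},
    # Benign: installer-created service, no preceding ADMIN$ write.
    {"ts": 90, "host": "ws03", "id": 7045, "ServiceName": "Backup Agent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe"'},
    # Benign: an admin drops a text file on ADMIN$, no service follows.
    {"ts": 95, "host": "ws04", "id": 5145, "IpAddress": "10.0.1.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Temp\notes.txt"},
    # Benign: .exe written to ADMIN$, but the service appears far outside the window.
    {"ts": 100, "host": "ws05", "id": 5145, "IpAddress": "10.0.1.15",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "tool.exe"},
    {"ts": 500, "host": "ws05", "id": 7045, "ServiceName": "tool",
     "ImagePath": r"C:\Windows\tool.exe"},
]

if __name__ == "__main__":
    for a in detect_psexec(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["severity"], a["source_ip"], "; ".join(a["reasons"]))
```

Run against real telemetry, the source_ip on the high-severity alerts is the pivot: one workstation writing service binaries to ADMIN$ on several hosts in a short span is the lateral-movement pattern this section describes, whether or not the service is called PSEXESVC.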